Open
Description
Hello,
Openscanhub code security scanner reports a possible double-free / use-after-free at src/qatzip.c:3929:
Defect type: USE_AFTER_FREE
7. QATzip-1.3.1/src/qatzip.c:3907:17: freed_arg: "AsyncDeCompressIn" frees "req".
19. QATzip-1.3.1/src/qatzip.c:3523:21: freed_arg: "CallAsyncbackfn" frees parameter "req".
20. QATzip-1.3.1/src/qatzip.c:3105:5: var_assign_parm: Assigning: "req" = "*req_pointer".
22. QATzip-1.3.1/src/qatzip.c:3113:5: freed_arg: "free" frees parameter "req".
32. QATzip-1.3.1/src/qatzip.c:3927:17: deref_after_free: Dereferencing freed pointer "req".
# 3925| /* req callback when offload failed */
# 3926| if (QZ_OK != rc && req != NULL) {
# 3927|-> req->qzResults->status = rc;
# 3928| req->qzAsyncallback(req->qzResults);
# 3929| free(req);
Indeed, *req_pointer = NULL; zeroes out the req on the stack of AsyncDeCompressIn(), not the req defined in AsyncReqConsumeJob(). Still, the memory it points to is freed.
This req is later compared to NULL here, but it is not NULL, and it points to already-freed memory, which is then freed a second time. A double free results:
free(): double free detected in tcache 2
Aborted (core dumped)
I believe AsyncDeCompressIn() should take &req as an argument, not just req, for the above to work as intended. Could you please have a look and possibly fix it? Thank you!
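The ownership mistake behind the report, reduced to its essentials as an added example (not QATzip's code; the Request type and the consume_* function names are hypothetical): a callee that receives a pointer by value can free it but cannot clear the caller's variable, so a later "req != NULL" guard in the caller passes and the cleanup path frees the same block again. Passing the address of the caller's pointer lets the callee null it, which is exactly what makes the guard meaningful.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical request object standing in for the request struct in the
 * report; constructed for this example only. */
typedef struct {
    int status;
} Request;

/* Buggy shape: the pointer arrives by value. Freeing it is fine, but
 * "req = NULL" only clears the callee's local copy. The caller's variable
 * still holds the address of the freed block. */
static void consume_by_value(Request *req)
{
    free(req);
    req = NULL;   /* no effect on the caller */
    (void)req;
}

/* Fixed shape: the callee gets the address of the caller's pointer, so
 * nulling *req_pointer really clears the caller's variable. This is the
 * "pass &req instead of req" change the report proposes. */
static void consume_by_address(Request **req_pointer)
{
    free(*req_pointer);
    *req_pointer = NULL;
}

/* Simulates the caller: hand the request off, then run the same kind of
 * "if (req != NULL) cleanup" guard as the failure path in the report.
 * Returns 1 if the guard correctly sees NULL (no second free would happen),
 * 0 if the caller's pointer is stale (the guard would pass and a double
 * free would follow), -1 on allocation failure. The stale case is only
 * observed, never dereferenced or freed, so the example itself stays safe. */
int handoff_nulls_caller_pointer(int use_fix)
{
    Request *req = malloc(sizeof *req);
    if (req == NULL) {
        return -1;
    }
    req->status = 0;

    if (use_fix) {
        consume_by_address(&req);
    } else {
        consume_by_value(req);
    }

    /* With the by-value handoff this comparison is the bug: req is not
     * NULL even though the memory behind it is already gone. */
    return (req == NULL) ? 1 : 0;
}

int main(void)
{
    printf("by value   -> caller pointer nulled: %d\n", handoff_nulls_caller_pointer(0));
    printf("by address -> caller pointer nulled: %d\n", handoff_nulls_caller_pointer(1));
    return 0;
}
```

Compiling with -fsanitize=address and adding the second free() back into the stale branch reproduces the "double free" abort shown above; leaving it out, as here, keeps the example as a check on which calling convention actually clears the caller's pointer.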